merge: laxer HTML sanitisation for admin-controlled text - fixes #447 (!454 )

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/454 Closes #447 Approved-by: Marie <marie@kaifa.ch>
merge: hide images/videos in og cards, when under a CW - fixes #487 (!488 )
2024-04-12 23:43:27 +00:00 · 2024-04-11 20:40:38 +00:00 · 2024-04-07 16:58:13 +01:00 · 2024-03-03 12:41:49 +00:00
5 changed files with 23 additions and 5 deletions
--- a/packages/backend/src/server/web/views/note.pug
+++ b/packages/backend/src/server/web/views/note.pug
@ -5,8 +5,8 @@ block vars
 	- const title = user.name ? `${user.name} (@${user.username})` : `@${user.username}`;
 	- const url = `${config.url}/notes/${note.id}`;
 	- const isRenote = note.renote && note.text == null && note.fileIds.length == 0 && note.poll == null;
-	- const images = (note.files || []).filter(file => file.type.startsWith('image/') && !file.isSensitive)
-	- const videos = (note.files || []).filter(file => file.type.startsWith('video/') && !file.isSensitive)
+	- const images = note.cw ? [] : (note.files || []).filter(file => file.type.startsWith('image/') && !file.isSensitive)
+	- const videos = note.cw ? [] : (note.files || []).filter(file => file.type.startsWith('video/') && !file.isSensitive)

 block title
 	= `${title} | ${instanceName}`
--- a/packages/frontend/src/components/MkSignupDialog.rules.vue
+++ b/packages/frontend/src/components/MkSignupDialog.rules.vue
@ -65,7 +65,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 import { computed, ref } from 'vue';
 import { instance } from '@/instance.js';
 import { i18n } from '@/i18n.js';
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
 import MkButton from '@/components/MkButton.vue';
 import MkFolder from '@/components/MkFolder.vue';
 import MkSwitch from '@/components/MkSwitch.vue';
--- a/packages/frontend/src/components/MkVisitorDashboard.vue
+++ b/packages/frontend/src/components/MkVisitorDashboard.vue
@ -56,7 +56,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 <script lang="ts" setup>
 import { ref } from 'vue';
 import * as Misskey from 'misskey-js';
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
 import XSigninDialog from '@/components/MkSigninDialog.vue';
 import XSignupDialog from '@/components/MkSignupDialog.vue';
 import MkButton from '@/components/MkButton.vue';
--- a/packages/frontend/src/pages/about.vue
+++ b/packages/frontend/src/pages/about.vue
@ -130,7 +130,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 </template>

 <script lang="ts" setup>
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
 import { computed, watch, ref } from 'vue';
 import * as Misskey from 'misskey-js';
 import XEmojis from './about.emojis.vue';
--- a/packages/frontend/src/scripts/sanitize-html.ts
+++ b/packages/frontend/src/scripts/sanitize-html.ts
@ -0,0 +1,18 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+import original from 'sanitize-html';
+
+export default function sanitizeHtml(str: string | null): string | null {
+	if (str == null) return str;
+	return original(str, {
+		allowedTags: original.defaults.allowedTags.concat(['img', 'audio', 'video', 'center']),
+		allowedAttributes: {
+			...original.defaults.allowedAttributes,
+			a: original.defaults.allowedAttributes.a.concat(['style']),
+			img: original.defaults.allowedAttributes.img.concat(['style']),
+		},
+	});
+}
Author	SHA1	Message	Date
dakkar	6745b43ed9	merge: laxer HTML sanitisation for admin-controlled text - fixes #447 (!454 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/454 Closes #447 Approved-by: Marie <marie@kaifa.ch>	2024-04-12 23:43:27 +00:00
dakkar	e0afeff248	merge: hide images/videos in og cards, when under a CW - fixes #487 (!488 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/488 Closes #487 Approved-by: Marie <marie@kaifa.ch> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>	2024-04-11 20:40:38 +00:00
dakkar	56dca6dbf5	hide images/videos in og cards, when under a CW - fixes #487	2024-04-07 16:58:13 +01:00
dakkar	00a6eb04c4	laxer HTML sanitisation for admin-controlled text - fixes #447 I have intentionally not changed the sanitiser used in `packages/backend/src/server/api/endpoints/users/report-abuse.ts` because that one deals with HTML sent by random users, so we should trust it less. Also I have not touched `packages/frontend/src/components/MkAutocomplete.vue` because that's just cleaning up emoji names.	2024-03-03 12:41:49 +00:00